Creates agnes-deploy SA with Terraform-scoped roles, GCS tfstate bucket, and generates a JSON key. Idempotent — safe to re-run. Expanded .gitignore to block *-key.json files from ever being committed.
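The `.gitignore` rule matches by file name only, so a key saved under a different name is not covered by it. The following is an added example, not part of this commit or the project: it flags GCP service-account key files by content. The file paths and key material are constructed, and the basename match is an approximation of gitignore semantics for a pattern without a slash.

```python
import fnmatch
import json
import posixpath

IGNORE_PATTERN = "*-key.json"  # the pattern named in the commit message


def ignored_by_name(path):
    # Approximation: a gitignore pattern without "/" matches the basename
    # at any directory depth.
    return fnmatch.fnmatchcase(posixpath.basename(path), IGNORE_PATTERN)


def looks_like_sa_key(text):
    """True if text parses as a GCP service-account key file."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    key = doc.get("private_key")
    return (doc.get("type") == "service_account"
            and isinstance(key, str) and "PRIVATE KEY-----" in key
            and isinstance(doc.get("client_email"), str))


def unprotected_keys(files):
    """Paths whose content is a key but whose name escapes the ignore rule."""
    return sorted(p for p, body in files.items()
                  if looks_like_sa_key(body) and not ignored_by_name(p))


# Constructed sample: placeholder key material, hypothetical project name.
_KEY = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "agnes-deploy@example-project.iam.gserviceaccount.com",
})
SAMPLE = {
    "agnes-deploy-key.json": _KEY,      # covered by *-key.json
    "secrets/agnes-deploy.json": _KEY,  # renamed copy, not covered
    "backup/key-copy.json": _KEY,       # "key" in the wrong position
    "package.json": '{"name": "demo"}',
    "notes-key.json": "not json",
}

if __name__ == "__main__":
    for path in unprotected_keys(SAMPLE):
        print("key file not covered by .gitignore:", path)
```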